Controllerless Networks

we have a customer with several Instant clusters with VPN tunnels back to a Aruba 6000.

We appear to have a problem whereby clients associated to the master get pushed down the tunnel are ok.

If clients are associated to any of the other AP's in the cluster they appear to work.

I was wondering if you could terminate on the VC??

REGARDS

Pete

I'm not sure I understand but the VC is the device terminating the VPN tunnel to the 6000.  Not any other AP in the cluster.

Hi Seth,

that's what i thought but it appears to be terminating on the master!!

The master is your VC

HI Seth,

what is happening is that the VPN's are up and visible to the central controller.

There are two or three IAP's in the cluster however it is only clients that are associated to

the master IAP that are getting their traffic pushed down the VPN tunnel.

I am sure it's a config thing but TAC have checked the config and say it's ok.

The IAP's are connected to an access port on a switch but the guest VLAN is pushed down the tunnel.

So no need to make the ports trunk ports.

I am at a bit of a loss.

cheers

Pete

Ah!!!  The VLAN that is being used for the DHCP profile for the VPN traffic MUST be trunked on the wired network between the master IAP and the other IAPs

Otherwise each iAP will have to build it's own tunnel.

That can only happen if each AP is in standalone mode...thereby defeating the purpose of IAPs and virtual controller clusters.  

I wouldn't recommend that.  If you are using VPN, make sure the LAN is set to have that VLAN id trunked between all IAPs at the site.

I don't quite agree. I have a remote office from which I GRE-tunnel the guest-wireless VLAN back to HQ for internet handoff. The DHCP and routing for the Internet connection is past the master controller at the HQ.

The solution per TAC was to trunk the VLAN throughout the remote office or set up a tunnel for each iAP. Security concerns said no trunking, so...

The cluster has just one tunnel configured, but the 3600 at headquarters has one tunnel defined for each iAP.

(Messy in my opinion, but it's working fairly well)

If you could paste your IAP config, I'd appreciate it.  I might have to ahem - edit - my last statement!

Thanks for the info!

Here are the parts pertinent to the GRE tunnels.

(I've also left the captive-portal bits in in case whomever finds this artifact later might find that part useful)

The interesting bit is the "gre per-ap-tunnel" and the "ip dhcp guest = server-type Centralized,L2"

        gre per-ap-tunnel
        gre primary 10.21.0.65
        gre type 0
        mgmt-auth-server CLEARPASS
        name <VC name>
        virtual-controller-ip <VC IP>
        
        wlan access-rule guestW
          rule any any match any any any permit
        
        wlan auth-server CLEARPASS
          acctport 1813
          cppm-rfc3576-port 5999
          ip <clearpass IP>
          nas-ip <VC IP>
          port 1812
          rfc3576
        
        wlan captive-portal
          authenticated
          background-color 13421772
          banner-color 16777215
          banner-text "WinCo Foods Guest Network"
          terms-of-use "This network is not secure, and use is at your own risk"
          use-policy "Logging in as a registered user indicated that you have read, or at least agree to our Acceptable Use Policy"
        
        ip dhcp guest
          server-type Centralized,L2
          server-vlan 100
   
        routing-profile
          route 0.0.0.0 0.0.0.0 10.21.0.65

        wlan ssid-profile guestW
          auth-server CLEARPASS
          captive-portal internal
          essid guestW
          type guest
          vlan 100